Adelaide · South Australia

Cyber security for South Australia's regulated enterprises.

Essential 8, NIST CSF, ISO 27001, APRA CPS 234, SOC 2 and PCI DSS. Space technology, energy, financial services and critical infrastructure. Adelaide-led, framework-anchored, board-defensible. Plus management consulting and AI agentic implementation for South Australian businesses across construction, talent acquisition and Allied Health.

Based in

Adelaide, SA

Our practice operates from Adelaide and delivers across the South Australian mid-market — from the Lot Fourteen and Tonsley precincts through the Australian Space Park at Adelaide Airport and the Adelaide CBD financial district.

Framework expertise

  • NIST CSF (Tier 1–4)
  • Essential 8 (ACSC ISM)
  • ISO 27001:2022 (ISMS)
  • APRA CPS 234 (Information Security)
  • SOC 2 (Type I & II)
  • PCI DSS (v4.0)

Built for South Australia's mid-market

Adelaide isn't a smaller Sydney. Your cyber partner shouldn't pretend it is.

South Australia's mid-market sits inside three of the country's most strategically important sectors. The space technology ecosystem at Lot Fourteen — home to the Australian Space Agency, the SmartSat CRC and a growing constellation of satellite operators and space-tech scale-ups — demands ISO 27001, Essential 8 Maturity Level 2 and SOCI Act compliance for critical infrastructure operators. The financial mutuals, super funds and Bendigo and Adelaide Bank ecosystem operate under APRA CPS 234 and CPG 234. The energy and resources sector — Santos, Beach, BHP Olympic Dam — sits squarely under the Security of Critical Infrastructure Act.

These obligations don't get solved with an off-the-shelf MSP playbook. They need framework-fluent advisors who can sit across a board paper, a technical control gap and a regulator response in the same week.

We do that work locally. Adelaide-based. National in reach. Big-Four-grade frameworks expertise without the partner overhead.

  • 94% of ASX-200 companies have suffered a cyber incident in the past two years.
  • $4.0M average cost of a data breach in Australia (IBM 2024).
  • 80% of breaches involve credentials or human error — addressable through Essential 8 and ISO 27001.

What we do

Three pillars. One ecosystem. Powered together.

01 / Cyber Security

From the boardroom to the SOC floor.

Advisory through to operations. We work with security committees on strategy, build the ISMS your auditor wants to see, run the red team that finds what your SOC missed, and stand up the managed SOC that watches it all.

  • NIST CSF & Essential 8 maturity assessments
  • ISO 27001:2022 ISMS readiness
  • Penetration testing & red team exercises
  • SOC services (co-managed, fully managed, AI-enhanced)
  • Threat intelligence & ransomware prevention

02 / Consulting

Strategy that survives the audit committee.

Digital and cyber transformation work for mid-market enterprises and the boards that govern them. Operating model, M&A cyber due diligence, third-party risk, and trusted-advisor retainers for CISOs without a peer to call.

  • Digital transformation strategy
  • M&A cyber due diligence & post-merger integration
  • Board & executive advisory
  • Operating model & security function design

03 / AI Agentic

Build the agent. Defend the model.

AI is now a board-level risk and a board-level opportunity. We help mid-market enterprises run AI readiness assessments, architect secure-by-design AI applications, train sovereign-deployment language models, and stand up the governance to keep regulators happy.

  • AI Integration Readiness Assessment (AI RMF)
  • Secure-by-design AI application architecture
  • Small Language Model (SLM) training
  • Sovereign GPU infrastructure for on-prem AI
  • AI governance, risk and compliance

The frameworks your board and auditor care about

Compliance that earns its keep.

Each framework unlocks something tangible — a contract, a regulator sign-off, a cyber insurance discount, a clean audit. We map the ones that fit, then deliver against them.

NIST

NIST Cybersecurity Framework

The global default for measurable cyber posture. We baseline you against the six functions — Govern, Identify, Protect, Detect, Respond, Recover — and chart a Tier 1 to Tier 4 maturity path.

Best for: Any mid-market enterprise; international supply chains

ACSC

Essential 8 Maturity

The Australian Cyber Security Centre's eight mitigation strategies. Required for federal and SA Government supply chain, baseline for cyber insurance, baseline expectation for any Australian board. We deliver Maturity Level 1, 2 or 3.

Best for: AU mid-market; gov supply chain; space; critical infrastructure

ISO/IEC

ISO 27001 ISMS

The international standard for information security management. Door-opener for enterprise contracts, international clients and tendering. Full ISMS build, control implementation, internal audit and external certification preparation.

Best for: Mid-market selling to enterprise or international

APRA

APRA CPS 234

Australia's prudential information security standard for ADIs, insurers and superannuation entities. We help mid-market financial services demonstrate that their information security capability is commensurate with the size and complexity of their threat environment.

Best for: ADIs, insurers, super funds, financial mutuals

AICPA

SOC 2 Type I & II

Required by any US-headquartered customer evaluating an Australian service provider. We scope the trust services criteria, fix the gaps, and shepherd you through a clean Type I and a sustained Type II.

Best for: SaaS, BPO, professional services with US clients

PCI

PCI DSS v4.0

If you handle cardholder data, the standard is non-negotiable. We scope your environment, reduce scope where possible, and run the gap and remediation against PCI DSS v4.0 — saving you the cost of an over-scoped audit.

Best for: Merchants, payment processors, online retailers

Plus the offensive work that proves the controls hold.

Vulnerability assessment and penetration testing (OWASP, OSSTMM, CVSS), red team exercises (MITRE ATT&CK, Cyber Kill Chain), compromise assessments and table-top exercises. Compliance documents are necessary. Demonstrating your controls held up under simulated attack is what the audit committee actually wants.

Where we work

Built for South Australia's regulated industries.

We work in industries where cyber is a board topic, not an IT problem.

Space Technology & Satellite Operations

ISO 27001, Essential 8, SOCI Act and AS 9100 for satellite operators, ground station infrastructure and space-tech scale-ups across Lot Fourteen, the Australian Space Park and Mawson Lakes.

Financial Services

APRA CPS 234, ISO 27001, third-party risk, SOC services for ADIs, mutuals, insurers and super funds.

Energy & Critical Infrastructure

SOCI Act compliance, ICS/OT security assurance, ransomware prevention for energy, water and resources operators.

Healthcare & Life Sciences

Australian Privacy Act, Notifiable Data Breaches, clinical system security for hospitals, research institutes and biotech.

Professional Services

Client data confidentiality, partner-level risk management, secure AI adoption for legal, accounting and consulting firms.

Government & Public Sector

Information Security Manual (ISM) alignment, PSPF support, secure service delivery for state and federal agencies.

Plan and innovate in Adelaide

Cross-pillar work close to home.

Beyond our cyber security practice, Adelaide is where most of our cross-pillar engagements run. Management consulting and AI agentic work for South Australian businesses across construction, talent acquisition, allied health, hand therapy and psychology.

PLAN · MANAGEMENT CONSULTING

Construction

An Adelaide construction firm engaged us for bid strategy and back-office operating model uplift as they scaled from a regional contractor to a multi-state operation.

PLAN · MANAGEMENT CONSULTING

Talent Acquisition

A South Australian recruitment firm asked us to redesign their employer brand strategy and recruitment technology stack to compete in a tightening talent market.

INNOVATE · AI AGENTIC

Allied Health & Specialty Clinics

Multiple Adelaide Allied Health, hand therapy and psychology practices have engaged our AI Agentic practice for clinic front-of-house automation — building on the architecture proven in Melbourne.

AI Agentic Implementation

Build the agent. Defend the model.

AI is now both a board-level opportunity and a board-level risk. The same agentic systems that automate operations and unlock analyst-grade research at scale also open new attack surfaces most security teams haven't fully mapped — prompt injection, over-privileged tool access, data exfiltration through agent memory, model supply-chain risk.

Our AI Agentic practice treats AI the way we treat cyber: framework-anchored, secure by design, governance-first. From AI Integration Readiness Assessments using the AI Risk Management Framework, through to sovereign GPU deployment for on-premises model hosting where data residency matters.

  • 01: Identify the workflow worth automating
  • 02 · gate: Data classification & permission review
  • 03: Architect secure agent design & guardrails
  • 04: Build, evaluate & red-team the agent
  • 05 · gate: Audit trail & identity controls verification
  • 06: Production deploy & ongoing managed run

How we work

Four steps. Audit-defensible at each one.

A repeatable engagement model designed for boards, audit committees and risk functions. Every phase produces an artefact you can show your regulator, your insurer and your customers.

01 · Discover

Understand the business and the risk universe.

A scoped discovery session with executives and risk leaders. We listen, map the threat landscape and the regulatory obligations, and align on the outcome the engagement needs to deliver.

02 · Assess

Baseline against the framework.

Framework-anchored assessment — NIST CSF, Essential 8, ISO 27001, APRA CPS 234 or the relevant standard. Gap report, control mapping and a quantified view of residual risk.

03 · Roadmap

A plan the audit committee can defend.

Prioritised, costed, sequenced remediation roadmap. Tier badges, programme governance, capability uplift plan and reporting cadence.

04 · Operate

Embedded delivery, not project-and-bounce.

Programme execution, ongoing managed services, board reporting and continuous improvement. Our model assumes a multi-year relationship.

Who you're buying

A bench built for the audit committee.

Our principal consultants have run cyber practices at Big Four firms, held CISO roles at Australian banks, and advised boards and C-level executives as independent directors. Our delivery team combines blue-team and red-team specialists, AI solution architects, and infrastructure engineers with backgrounds in cloud and on-premises security.

  • 20+ yrs: Principal consultant cyber experience
  • Big Four: Former senior leadership in cyber advisory practices
  • CISO: Former Chief Information Security Officer at an Australian bank
  • Board Advisor: Independent advisor to boards and C-level executives
  • CRISC, CISSP, CC: Certified across risk, security and AI
  • ISO 27001 LA: Lead Auditor certified for certification readiness
  • OSCP, Blue + Red: Penetration testing, offensive security and incident response
  • AI Architect: 5+ years deploying AI infrastructure at enterprise scale

Start here

One conversation. Then a roadmap your board can defend.

A 30-minute discovery call with a principal consultant. We listen to the obligation, the risk and the constraints, and tell you honestly whether we can help — and where to start if we can.


Common questions

Before the discovery call.

Why an Adelaide firm rather than a Big Four or Sydney-based national?

For most South Australian mid-market enterprises, you'll work with the same calibre of senior consultants in our practice as you would on the Big Four bench — without the partner overhead built into their day rate, and with significantly more accountability. We staff engagements with the people who actually deliver, and our principal consultants stay on the work from kickoff to closeout. For Adelaide-headquartered businesses there's also a meaningful relationship advantage — we're an hour from your board table, not a flight.

Do you hold the certifications for space technology and government work?

Our practice operates with credentials suited to mid-market regulated work: CRISC, CISSP, CC, ISO 27001 Lead Auditor, and OSCP across the team. For specific clearance, IRAP, PROTECTED-level work, or AS 9100 aerospace quality requirements, scope and clearance status are confirmed during discovery — we'll be direct about whether we can do the work, partner with someone who can, or recommend a specialist.

We're a regulated ADI in Adelaide — can you help with APRA CPS 234?

Yes. APRA CPS 234 is one of our core domains for South Australian financial services. We work with mid-market ADIs, mutuals, insurers and super funds on information security capability assessment, third-party risk under CPG 234, incident notification readiness, and the ongoing tripartite assurance APRA expects.

How do you handle SOCI Act obligations for critical infrastructure operators?

For SOCI Act compliance (energy, water, ports, data centres, space ground station operations) we run risk management programs, critical infrastructure risk management plan (CIRMP) support, and the cyber control uplift that comes with it. ICS/OT environments get our specialist OT security assurance practice.

How fast can you start an engagement?

Discovery calls happen within the week. Scoping documents and proposals typically follow within 5–10 business days depending on engagement complexity. For Starter-tier work (compromise assessments, table-tops, penetration tests) we can frequently mobilise within 2–3 weeks. Growth and Enterprise engagements have longer mobilisation given resourcing and governance.

Do you provide ongoing managed services or only project work?

Both. Roughly half our client relationships are programme or managed services (SOC, threat intelligence, AI managed services, board advisory retainers). The other half start with a discrete Starter or Growth engagement and continue as the relationship deepens. We optimise for multi-year relationships, not transactional project work.

Can you help us with AI safely — both adopting it and securing what we've already built?

Yes, this is our AI Agentic pillar. AI Integration Readiness Assessments anchored to the AI Risk Management Framework, secure-by-design architecture for new AI applications, training of focused-domain Small Language Models, sovereign GPU infrastructure for on-premises deployment where data residency matters, and the governance frameworks (AI RMF, Voluntary AI Safety Standard, EU AI Act for international clients) to keep regulators and the audit committee satisfied.